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Abstract 

Lenstra, Lenstra, and Lovasz in [7] proved several inequalities showing that the vectors in an 
LLL-reduced basis are short, and near orthogonal. Here we present generalizations, from which 
with k = 1, and k = n we can recover their inequalities: 

Theorem 1. Let bi,...,b n € W n be an LLL-reduced basis of the lattice L, and d\,...,dk 

arbitrary linearly independent vectors in L. Then 
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□ 

In the most general setting, we prove: 

Theorem 2. Let bi, . . . , b n € R m be an LLL-reduced basis of the lattice L, 1 < k < j < n, and 
d\, . . . ,dj arbitrary linearly independent vectors in L. Then 

det 6 fe ) < 2 k{n -^t 2+k ^~ k V i {&etL{d u ... 1 d J )) k/j , (6) 

II &i|| ••• IIM < 2 k(n - j)/2+kU - 1)/4 {detL{d 1 ,... 1 d 3 )) k/ i. (7) 

□ 
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1 Lattices and Basis Reduction 



A lattice in M m is a set of the form 

L = L(& l5 ...A) = |^AA|AiGZ, (i = l,...,m) j, (8) 

where b\,...,b n are linearly independent vectors in R m , and are called a basis of L. If B = 
[b\, . . . ,b n ], then we also call B a basis of L, and write L = L(B). The determinant of L is 

det L = VdetB T B, (9) 
where B is a basis of L, with detL actually independent of the choice of B. 

Finding a short, nonzero vector in a lattice is a fundamental algorithmic problem with many 
uses in cryptography, optimization, and number theory. For surveys we refer to j2j 3 [3], and 
[8]. More generally, one may want to find a reduced basis consisting of short, and nearly orthogonal 
vectors. 

A basis b\ , . . . , b n that is reduced according to the definition of Lenstra, Lenstra, and Lovasz [7] 
is computable in polynomial time in the case of rational lattices, and the hi are reasonably short, 



and near orthogonal, namely 

IIM < 2( n " 1 )/ 4 (detL) 1 / n , (10) 

|| bill < 2 (n - 1 ^ 2 \\d\\ for any d£L\{0}, (11) 

IIM-HIM < 2"( n - 1 )/ 4 detL. (12) 



hold. Korkhine-Zolotarev (KZ) bases, which were described in [5] by Korkhine, and Zolotarev, and 
by Kannan in [Ij have stronger reducedness properties, for instance, the first vector in a KZ basis 
is the shortest vector of the lattice. However, KZ bases are computable in polynomial time only 
when n is fixed. Block KZ bases proposed by Schnorr in [9] form a hierarchy in between: one can 
trade on the quality of the basis to gain faster computing times. 

Our Theorem 1 generalizes inequalities (jlOD through (|12f) . For instance, (pQ) with k = n yields 
(|10p . and with k = 1 yields (jlip . In turn, from ([6]) in Theorem 2 with j = k, and from ([7]) with 
j = n we recover the inequalities of Theorem 1. 

It would be interesting to see whether stronger versions of our results can be stated for KZ, or 
block KZ bases. 

As a tool we use Lemma 1 below, which may be of independent interest. For k = 1 we can 
recover from it Lemma (5.3.11) in [2] (proven as part of Proposition (1.11) in [7|). To state it, we 
will recall the notion of Gram-Schmidt orthogonalization. If b%, . . . , b n S M m is a basis of L, then 
the corresponding Gram-Schmidt vectors &*,...,&*, are defined as 

i-l 

b\ = b\ and b* = bi — f^ijbj for i = 1, . . . , n — 1, (13) 

3=1 
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with mj = (bi,bj)/{bj,bj), where (., .) is the usual inner product on W n . 

Lemma 1. Let d\,...,dk be linearly independent vectors from the lattice L, and b*,..., 6* the 
Gram Schmidt orthogonalization of an arbitary basis. Then 

detL(d 1 ,...,d k )> min {|| b* h \\ . . . \\ b* ik || } . (14) 

□ 

In the rest of this section we collect necessary definitions, and results. In Section [2] we prove 
Lemma 1, and in Section [3] we prove Theorem [2j 

We call b%, . . . , b n an LLL-reduced basis of L, if 

\fJ>ji\ < 1/2 (i = 2, ... ,n; i = 1, . . . , j - 1), and (15) 
\\b* + Vjj-tf^W 2 > 3/4 || || 2 (Kj<n). (16) 

From (1151) and (1161) it follows that 



II b* || 2 < 2*"* || 6* || 2 (1 < i < j < n). (17) 

If bi, . . . , b n are linearly independent vectors, then 

detL(&!,...A) = detL^^.-.^n-i) (18) 

where b' is the projection of b n on the orthogonal complement of the linear span of b\, . . . , b n -\. 

An integral square matrix U with ±1 determinant is called unimodular. An elementary column 
operation performed on a matrix A is either 1) exchanging two columns, 2) multiplying a column 
by —1, or 3) adding an integral multiple of a column to another column. Multiplying a matrix A 
from the right by a unimodular U is equivalent to performing a sequence of elementary column 
operations on A. 

2 Proof of Lemma 1 

We need the following 

Claim There are elementary column operations performed on d%, ■ ■ ■ , that yield di, . . . , d& with 

U 

di = ^ijbj for i = 1, . . . , fc, (19) 
i=i 

where Ajj G Z, Aj ) t j 7^ 0, and 

*fe > > ••• > h- (20) 
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Proof of Claim Let us write 

BV = [dt,...,d k ], (21) 

with V an integral matrix. Analogously to how the Hermite Normal Form of an integral matrix is 
computed, we can do elementary column operations on V to obtain V with 

tk := max{ i \ Vik / } > t k -i ■= max { i \ v^k-i ^ } > ... > t\ := max{ i \ vn ^ }. (22) 

Performing the same elementary column operations on d±, . . . , d/- yield d\, . . . ,dk which satisfy 

BV = [<*!,..., 4], (23) 

so they satisfy (fT9|) . 
End of proof of Claim 

Obviously 

det L(dx,...,d k ) = det L(d 1 ,...,d k ). (24) 
Substituting from (fT3|) for hi we can rewrite (fl~9|) as 

U 

d i = Y^ Kj h *j for t = 1, . . . , A;, (25) 
i=i 

where the X*j are now reals, but X* t . = Xi >ti nonzero integers. 
For all i we have 

]hx{d x ,...,di-x} C MftJ,...,^}. (26) 

Therefore 

|| Proj di- x } x } || > || Proj { di | { 6J, . . . , fe^_ 1 } X } || > || A Mi 6* || > || 6* || (27) 

holds, with the second inequality coming from (f20l) . So applying (fT8|) repeatedly we get 

det L(di, . . . ,d~k) > detL(di, . . . ,d k -i) \\b* k \\ 

(28) 

> \\b* tl \\\\b* t2 \\...\\b$ k l 
which together with (|24|) completes the proof. □ 



3 Proof of Theorem 1 and Theorem 2 



The plan of the proof is as follows: we first prove (pQ) through (|3|) in Theorem 1. Then we prove 
Theorem 2. Finally, Q follows as a special case of ([7]) with j = k; and © as a special case of ([7]) 
with j = n. 
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Proof of (pQ) and ([2]) Lemma CD implies 

det L(dx, ... ,(4) > KJIKII.-.H^II (29) 
for some ti,...,tk 6 {1, . . . , n} distinct indices. Clearly 

ti + --- + tfc<A:n-ifc(A;-l)/2 (30) 
holds. Applying first (fT7|) . then (|30j) yields 



(det L(d X) . . . , 4)) 2 > || &J || 2 2( 1 -*i) . . . || b\ || 2 2( 1 -^) 

= ||6*||2fc 2 fc -(*i+- +i fe) (31) 
> || 6i || 2fc 2 fc ( fc+1 )/ 2 ~ fcn 



which is equivalent to ([I]). Similarly, 



(det L(di, . . . , d k )) 2 > || || 2 2( 1 -* 1 ) || 6^ || 2 2( 2 -* 2 ) . . . || b% f 

= || fe* || 2 . . . || b% || 2 2( 1 +-+ fe )-(*i+-+**) (32) 
> ||6J|| 2 ... || 6* || 2 2 fe ( fc -™), 



which is equivalent to ([2]). 



□ 



Proof of ([3]) The proof is by induction. Let us write Dk = (det L{b\, . . . , &&)) 2 . For k = n — 1, 
multiplying the inequalities 

lk*|| 2 < 2"-*K|| 2 (i = l,...,n-l) (33) 

gives 

D n _! < 2 n ( n - 1 )/ 2 (||6;|| 2 ) n - 1 (34) 
= r^-W (J^-Y' 1 , (35) 

and after simplifying, we get 

A.-1 < 2("- 1 )/ 2 ( J D n ) 1 " 1 /". (36) 

Suppose that ([3]) is true for k < n — 1; we will prove it for k — 1. Since &i, . . . , forms an 
LLL-reduced basis of ...,&&) we can replace n by in (f36|) to get 

D fc _! < 2( fc - 1 )/ 2 (D fc )( fc - 1 )/ fc . (37) 

By the induction hypothesis, 

D k < 2 k{n - k ^ 2 (D n ) k / n , (38) 
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from which we obtain 

{D k ) {k ' l)/k < 2( k - 1) ( n - k)/2 (D n )( k ~ 1)/n . (39) 
Using the upper bound on {D k )^ k ~^l k from (|59" |) in (|57 |> yields 

Ofc-l < 2( fe - 1 )/ 2 2( fc - 1 )( n - fc )/ 2 (D„)( fe - 1 )/ fe (40) 

_ 2 (fc-l)(n-(fc-l))/2^ n )(fc-l)A> ) ( 41 ) 

as required. 

□ 



Proof of Theorem 2 From ([3]) and ([2]) we have 

detL(6i,...,6 fc ) < 2^- fc )/ 4 (detL(6 1 ,...,6,))^, (42) 
detL(bi,...,bj) < 2 j( - n ~ j V 2 detL(di,...,dj). (43) 

Raising (|43|) to the power of fc/j gives 

(detL(6i,...,6,-)) fc/i < 2 fc ( n ^)/ 2 det(L( ( ii,...,d i )) /c / J ', (44) 

and plugging (|4"1|) into ([12"]) proves ©. 

It is shown in [7j that 

II M 2 < 2^ x || b* || 2 for i = l,...,n. (45) 
Multiplying these inequalities for i = 1, . . . , k yields 

IIM-HIM < 2 fc (™- 1 V 4 detL(6 1 ,...,6 fc ), (46) 
and using (06]) with ([6]) yields ((7J). 

□ 

Remark 1. The fcth successive minimum of L is defined as the smallest real number t, such that 
there are k linearly independent vectors in L with length bounded by t. It is denoted by Afe(L). 
With the same setup as for (fl"0l) - (fl~2~|) it is shown in [7j that 

|| 6i|| < 2 n ~ l \i(L) fori = l,...,n. (47) 

For KZ, and block KZ bases similar results were shown in [6], and [TO], resp. 

The successive minimum results ()47|) give a more global, and refined view of the lattice, and 
the reduced basis, than (fTOl) through (fT2|) . Our Theorems 1 and 2 are similar in this respect, but 
they seem to be independent of (|47p. Of course, multiplying the latter for i = 1, . . . , k gives an 
upper bound on || b\ || • • • || ||, but in different terms. 
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The quantites det L(b±, . . . ,bk) and || b\ || ... \\bk\\ are also connected by 

det L(b\, . . . , bk) = \\ b\ || . . . || b^ || sin 02 • ■ ■ smO}., (48) 

where Q{ is the angle of 6j with the subspace spanned by b\, . . . , i>j_i. In [I] Babai showed that 
the sine of the angle of any basis vector with the subspace spanned by the other basis vectors in a 
(i-dimensional lattice is at least (\/2/3) d . One could combine the lower bounds on sin#j with the 
upper bounds on det L(b\, . . . ,bk) to find an upper bound on || 61 1| ... || bk \\ ■ However, the result 
would be weaker than and ©. 

Acknowledgement The first author thanks Ravi Kannan for helpful discussions. 
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